HP UX Identity Security Software instruction

For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.

Parameter	Description
Entry DN	cn=config
Valid Range	1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value	3600
Syntax	Integer
Example	passwordLockoutDuration: 3600

2.3.1.113 passwordMaxAge (Password maximum age)

Indicates the number of seconds after which user passwords expire. To use this attribute, password expiration has to be enabled using the passwordExp attribute.

For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.

Parameter	Description
Entry DN	cn=config
Valid Range	1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value	8640000 (100 days)
Syntax	Integer
Example	passwordMaxAge: 100

2.3.1.114 passwordMaxFailure (Maximum password failures)

Indicates the number of failed bind attempts after which a user is locked out of the directory. By default, account lockout is disabled. Enable account lockout by modifying the passwordLockout attribute.

For more information on password policies, see the "Managing Users and Passwords" chapter in the HP-UX Directory Server administrator guide.

Parameter	Description
Entry DN	cn=config
Valid Range	1 to maximum integer bind failures
Default Value	3
Syntax	Integer
Example	passwordMaxFailure: 3

2.3.1.115 passwordMaxRepeats (Password syntax)

Maximum number of times the same character can appear sequentially in the password. Zero (0) is off. Integer values reject any password which used a character more than that number of

66 Core server configuration reference

Image 66

HP UX Identity Security Software manual PasswordMaxAge Password maximum age, PasswordMaxFailure Maximum password failures

Contents

HP-UX Directory Server Version Page Table of Contents Table of Contents Table of Contents Nsssl3ciphers 3.33.4 Nsslapd-state Nsslapd-backend 113 Nsslapd-pluginEnabled Password Storage SchemesSchema reload plug-in Nsslapd-idl-switch NsMaxResponseDelay Cn=userRoot, cn=ldbm database, cn=plugins, cn=configCn=ldbm database, cn=plugins, cn=config NsMaxTestResponseDelay 169 173 189 Finding and executing command-line scripts 215 215239 243 247257 Page Directory Server configuration Directory Server configurationUsing Directory Server command-line utilities Directory Server instance file reference Using Directory Server command-line scripts Introduction Overview of the Directory Server configuration Ldif and schema configuration files Directory Server Ldif configuration files Configuration of plug-in functionality How the server configuration is organizedConfiguration attributes Directory Server Ldif configuration files Configuration of databases Accessing and modifying server configurationAccess control for configuration entries Configuration of indexes Changing configuration attributes Modifying configuration entries using LdapWhere Core server configuration attributes reference Configuration changes requiring server restart 1 cn=config Nsslapd-accesslog Access log Nsslapd-accesslog-logbuffering Log buffering Nsslapd-accesslog-level Access log levelNsslapd-accesslog-list List of access log files Attribute values for enabling or disabling access logging Valid Values Nsslapd-accesslog-logging-enabled Access log enable loggingDefault Value Syntax Directory String Example Valid Range EntryDN Cn=config Valid Range Disk space allowed to the access log is unlimited in sizeSyntaxDirectoryString Example Syntax DirectoryString Example Nsslapd-accesslog-logrotationtime Access log rotation time Nsslapd-accesslog-maxlogsize Access log maximum log size Nsslapd-accesslog-mode Access log file permission SyntaxInteger Example Nsslapd-attribute-name-exceptions ValidRange Through Default Value 600 Syntax Integer ExampleDefault Value Off Syntax DirectoryString Example Nsslapd-auditlog Audit log Provides a list of audit log files Nsslapd-auditlog-listAttribute values for enabling or disabling audit logging EntryDN Turns audit logging on and off Nsslapd-auditlog-logging-enabled Audit log enable loggingEntry DN Cn=config Valid Values Disk space allowed to the audit log is unlimited in size Valid Range Through Default Value Syntax Integer Example Nsslapd-auditlog-logrotationsynchour Nsslapd-auditlog-logrotationtime Audit log rotation time Syntax Integer Example Nsslapd-auditlog-logrotationsyncminTime between audit log file rotation is unlimited Nsslapd-auditlog-maxlogsize Audit log maximum log size Nsslapd-auditlog-mode Audit log file permissionNone Read only Execute only Nsslapd-certmap-basedn Certificate map search base Write access to the server user IDNsslapd-certdir Certificate and key database directory Write only Read and write Write and execute Nsslapd-conntablesize Nsslapd-configThis read-only attribute is the config DN Nsslapd-counters Default Value Off Core server configuration reference Nsslapd-ds4-compatible-schemaDefault Value Syntax DirectoryString Example Nsslapd-csnlogging Nsslapd-errorlog Error log Nsslapd-errorlog-level Error log levelAttribute values for enabling or disabling error logging Nsslapd-errorlog-list This read-only attribute provides a list of error log files Nsslapd-errorlog-logging-enabled Enable error logging Turns error logging on and off Disk space allowed to the error log is unlimited in size Nsslapd-errorlog-logrotationtime Error log rotation time Time between error log file rotation is unlimited Nsslapd-errorlog-maxlogsize Maximum error log size Nsslapd-errorlog-mode Error log file permission Nsslapd-idletimeout Default idle timeoutNsslapd-groupevalnestlevel Nsslapd-instancedir Instance directory Nsslapd-ioblocktimeout IO block time outDefault Value Syntax Integer Example Nsslapd-idletimeout Nsslapd-lastmod Track modification time Nsslapd-ldapilisten Enable Ldapi socket Nsslapd-ldapifilepath Ldapi socket file pathNsslapd-listenhost Listen to IP address Nsslapd-localuser Local user Default Value SyntaxDirectoryString ExampleNsslapd-localhost Local host Nsslapd-lockdir Server lock file directory Nsslapd-maxbersize Maximum message size Nsslapd-maxdescriptors Maximum file descriptors Nsslapd-maxsasliosize Maximum Sasl packet size Nsslapd-maxthreadsperconn Maximum threads per connection Nsslapd-nagleThis attribute value is specified in bytes Nsslapd-plugin Nsslapd-outbound-ldap-io-timeoutDefault Value Core server configuration reference Nsslapd-port Port number Nsslapd-readonly Read only Nsslapd-referral ReferralBut the request is for this entry Nsslapd-referralmode Referral mode Nsslapd-reservedescriptors Reserved file descriptors Nsslapd-return-exact-case Return exact case Nsslapd-rewrite-rfc1274 Nsslapd-rootpw Root password Default Value SyntaxNsslapd-rootdn Manager DN Nsslapd-rootpwstoragescheme Root password storage scheme Nsslapd-saslpath Nsslapd-schemacheck Schema checking Nsslapd-schemadir Nsslapd-schemareplace Nsslapd-securelistenhostNsslapd-securePort Encrypted port number Nsslapd-security Security Nsslapd-sizelimit Size limit Default Value Syntax Integer Example Nsslapd-threadnumber Nsslapd-threadnumber Thread numberNsslapd-timelimit Time limit Nsslapd-tmpdir PasswordChange Password changeIndicates whether users may change their passwords Nsslapd-versionstring PasswordCheckSyntax Check password syntax PasswordExp Password expiration PasswordInHistory Number of passwords to remember PasswordGraceLimit Password expirationPasswordHistory Password history Default Value Syntax Integer Example PasswordGraceLimit PasswordIsGlobalPolicy Password policy and replication PasswordLockout Account lockoutPasswordLockoutDuration Lockout duration PasswordMaxRepeats Password syntax PasswordMaxAge Password maximum agePasswordMaxFailure Maximum password failures Default Value Syntax Integer Example PasswordMaxFailure PasswordMin8Bit Password syntax PasswordMinAge Password minimum ageDefault Value Syntax Integer Example PasswordMinAge PasswordMinDigits Password syntax PasswordMinAlphas Password syntaxPasswordMinCategories Password syntax PasswordMinLength Password minimum length PasswordMinLowers Password syntax PasswordMinSpecials Password syntaxPasswordMinTokenLength Password syntax PasswordMinUppers Password syntax PasswordMustChange Password must changePasswordStorageScheme Password storage scheme PasswordUnlock Unlock account PasswordWarning Send warning 2 cn=changelog5,cn=config Nsslapd-changelogdir Nsslapd-changelogmaxage Max changelog age 3 cn=encryption,cn=configNssslsessiontimeout Nsslapd-changelogmaxentries Max changelog records Nssslclientauth Means disallow certificate-based authenticationDefault Value Off Syntax DirectoryString Example Nsssl2 off NsSSL2 Suffix configuration attributes under cn=suffixName 4 cn=features,cn=config5 cn=mapping tree,cn=config Nsssl3ciphers Determines how the suffix handles operations Nsslapd-stateNsslapd-backend To requests made by client applications NsDS5Flags NsDS5ReplicaBindDNNsDS5ReplicaChangeCount NsDS5ReplicaLegacyConsumer NsDS5ReplicaPurgeDelayNsDS5ReplicaId NsDS5ReplicaName NsDS5ReplicaReferral NsDS5ReplicaRootNsDS5ReplicaTombstonePurgeInterval NsDS5ReplicaType NsDS5ReplicaReapActiveNsState NsDS5ReplConflict 8.1 cnDescription NsDS5ReplicaBindMethod NsDS5ReplicaBusyWaitTime NsDS5ReplicaCredentials SchemaNsDS5ReplicaChangesSentSinceStartup NsDS5ReplicaHost NsDS5ReplicaLastInitStatus NsDS5ReplicaLastInitEndNsDS5ReplicaLastInitStart Time NsDS5ReplicaLastUpdateStatus NsDS5ReplicaLastUpdateEndNsDS5ReplicaLastUpdateStart NsDS5ReplicaPort Default Value SyntaxInteger ExamplensDS5ReplicaPort389 NsDS5ReplicaPriority NsDS5BeginReplicaRefresh NsDS5ReplicaSessionPauseTime NsDS5ReplicaTimeout Valid Range Default Value SyntaxDirectoryString ExampleNsDS5ReplicatedAttributeList NsDS5ReplicaUpdateInProgress NsDS5ReplicaUpdateScheduleNsDS5ReplicaTransportInfo NsDS5ReplicaLastUpdateEnd NsDS50ruvSunday Nsds7DirectoryReplicaSubtree Nsds7NewWinGroupSyncEnabledNsds7NewWinUserSyncEnabled Nsds7DirsyncCookie Nsds7WindowsReplicaSubtree 10 cn=monitorNsds7WindowsDomain WinSyncInterval Greenwich Mean Time For exampleConnection table This is the number of completed operations This attribute sets whether Snmp is enabled 12 cn=SNMP,cn=configNssnmpenabled 11 cn=replication Nssnmpcontact NssnmporganizationNssnmplocation Nssnmpdescription Nssnmpmasterport Snmp statistic attributesNssnmpmasterhost Snmp statistic attributes 14 cn=tasks,cn=config Snmp statistic attributes Task invocation attributes for entries under cn=tasks Entry DN 14.2 cn=import,cn=tasks,cn=config Default Value Syntax DirectoryString Example Ttl NsFilename file1.ldif NsFilename file2.ldif Default Value Syntax Integer Example NsImportChunkSize 14.3 cn=export,cn=tasks,cn=config Valid Values Any DN Core server configuration reference Syntax Case-insensitive string Example NsExportReplica true Default Value Syntax DN, multi-valued ExampleSyntax Case-insensitive string Example NsUseOneFile true Syntax Case-insensitive string Example NsPrintKey false Syntax Case-insensitive string Example NsNoWrap false 14.4 cn=backup,cn=tasks,cn=configSyntax Case-insensitive string Example NsUseId2Entry true Syntax Case-insensitive string Example NsDumpUniqId true 14.5 cn=restore,cn=tasks,cn=config 14.6 cn=index,cn=tasks,cn=config Syntax Case-exact string Example 14.7 cn=schema reload task,cn=tasks,cn=config NsIndexAttribute attributeindex1,index2 14.8 cn=memberof task,cn=tasks,cn=config 15 cn=uniqueid generator,cn=config 112 Server plug-in functionality reference 1 7-bit check plug-inServer plug-in functionality reference ACL plug-in ACL preoperation plug-inAttribute uniqueness plug-in Binary syntax plug-in Boolean syntax plug-in Case exact string syntax plug-in Plug-in Name Chaining Database DN of Configuration EntryDescription Syntax for handling DNs Configurable Options Case ignore string syntax plug-in Distinguished name syntax plug-in Class of service plug-inCountry string syntax plug-in Dependencies None Performance Related Details of distributed numeric assignment plug-in Distributed numeric assignment plug-inGeneralized time syntax plug-in Plug-in Name Http client plug-in Internationalization plug-in Legacy replication plug-in Jpeg syntax plug-inLdbm database plug-in Information Further Information MemberOf plug-in Multi-master replication plug-inDetails of MemberOf plug-in Password Storage Schemes Octet string syntax plug-inOID syntax plug-in Password storage plugins Postal address string syntax plug-in PTA plug-in Referential integrity postoperation plug-in Both presence and equality Retro Changelog plug-inRoles plug-in Applications Schema reload plug-in Details of schema reload plug-inSpace insensitive string syntax plug-in Views plug-in Telephone syntax plug-inURI syntax plug-in Resource Locators Nsslapd-pluginPath List of attributes common to all plug-insAccount policy plug-in This attribute specifies the full path to the plug-in Nsslapd-pluginType Nsslapd-pluginEnabledNsslapd-pluginInitfunc Nsslapd-pluginId Nsslapd-pluginVendor Attributes allowed by certain plug-insNsslapd-pluginVersion Nsslapd-pluginDescription Nsslapd-pluginLoadGlobal Nsslapd-plugin-depends-on-typeNsslapd-plugin-depends-on-named Database plug-in attributes NsLookthroughLimit Nsslapd-cache-autosize Nsslapd-cache-autosize-split Nsslapd-dbcachesize Nsslapd-db-checkpoint-intervalPlatforms Nsslapd-db-debug Default Value Database plug-in attributesNsslapd-db-circular-logging Nsslapd-db-durable-transactions Nsslapd-db-home-directory Nsslapd-db-idl-divisor Automatically adjusted to the minimum value Nsslapd-db-logbuf-sizeNsslapd-db-logdirectory Nsslapd-db-page-size Valid Range Bytes to 64 kilobytes Default ValueNsslapd-db-logfile-size Nsslapd-db-private-import-mem Nsslapd-db-spin-count Nsslapd-db-transaction-batch-val Nsslapd-db-trickle-percentage Nsslapd-db-verboseNsslapd-dbncache Nsslapd-idl-switch Nsslapd-directoryNsslapd-exclude-from-export Nsslapd-idlistscanlimit Nsslapd-import-cachesizeNsslapd-import-cache-autosize Nsslapd-mode No access for other usersDefault Value 600 Database plug-in attributes Memory to importCache Nsslapd-search-bypass-filter-test Nsslapd-search-use-vlv-indexNsslapd-serial-lock Nsslapd-cachesize Nsslapd-cachememsize Nsslapd-readonly Nsslapd-require-indexNsslapd-suffix Database plug-in attributes 5.1 cn NsSystemIndexThis attribute provides the name of the attribute to index NsIndexType NsMatchingRule NsSubStrBegin Indexed attribute representing a subentry NsSubStrEnd NsSubStrMiddle Encrypted attributes under the cn=config node NsActiveChainingComponents Database link plug-in attributes chaining attributesNsEncryptionAlgorithm Database link plug-in attributes chaining attributes NsMaxResponseDelay NsMaxTestResponseDelayNspossiblechainingcomponents NsTransmittedControls NsAbandonedSearchCheckIntervalNsBindConnectionsLimit NsBindRetryLimit NsBindTimeoutDefault Value Syntax Integer Example NsCheckLocalACI NsConnectionLife NsConcurrentBindLimitNsConcurrentOperationsLimit NsOperationConnectionsLimit NsProxiedAuthorization NsReferralOnScopedSearchNsSizeLimit NsTimeLimit NsBindMechanism NsFarmServerURL NsMultiplexorBindDNValid Values Empty Nshoplimit Encryption schemaNsMultiplexorCredentials NsUseStartTLS Retro changelog plug-in attributes Nsslapd-changelogdir DnaFilter Distributed numeric assignment plug-in attributesNsslapd-changelogmaxage Max changelog age DnaMagicRegen DnaMaxValue DnaNextRangeDnaNextValue DnaPrefix DnaRangeRequestTimeoutDefault Value Syntax Integer Example DnaNextValue Bit systems DnaScope DnaSharedCfgDNDnaThreshold Memberofattr MemberOf plug-in attributesDnaType Memberofgroupattr Account policy plug-in attributes Overview of Directory Server files Backup filesConfiguration files Database files Used internally by the database and should not be moved Setup-ds-admin.plscript is runAt setup for example, dc=example,dc=com Deleted, or modified in any way Log files Ldif filesLock files PID files Tools Scripts Access log reference Access logging levels Connection number Default access logging contentExample 5-1 Example access log File descriptor Operation number Error numberSlot number Method type Number of entries Elapsed timeLdap request type VLV-related entries Unindexed search indicatorLdap response type Search scope Abandon message Extended operation OIDChange sequence number LDAPv3 extended operations supported by Directory Server Access log content for additional access logging levels Message IDSasl multi-stage bind logging Common connection codes Connection descriptionOptions description Error log levels Error log referenceError log logging levels Common connection codes Error log content Error log levels Error log content for other log levels Example 5-3 Error log excerpt Example 5-4 Replication error log entry Into pending list Timestamp Pluginname message Timestamp function message Example 5-6 Config file processing log entry Example 5-7 Access control summary loggingAudit log reference Audit log does not have any other log level to set Example 5-8 Audit log contentLdap result codes Ldap result codes Referral Ldap Adminlimitexceeded LdapLdap result codes Ldap Command-line utilities quick reference Finding and executing command-line utilitiesUsing special characters Commonly-used command-line utilities Commonly-used ldapsearch options LdapsearchLdapsearch syntax Ldapsearch syntax Commonly-used ldapsearch options Commonly-used ldapsearch options Persistent search optionsLdapsearch SSL options Persistent search options Ldapsearch Sasl options Additional SSL ldapsearch options Sasl options Description of CRAM-MD5 mechanism options Do not permit mechanisms susceptible to active attacks Do not permit mechanisms that allow anonymous accessDescription of CRAM-MD5 mechanism options Require forward secrecy Maxbufsize Description of DIGEST-MD5 Sasl mechanism options Required Mech=DIGEST-MD5 Gives the Sasl MechanismFollowing UID. For example Additional ldapsearch options Description of Gssapi Sasl mechanism options10 Additional ldapsearch options 10 Additional ldapsearch options Commonly-used ldapmodify options LdapmodifyLdapmodify syntax 11 Commonly-used ldapmodify options Ldapmodify SSL options 11 Commonly-used ldapmodify options12 ldapmodify SSL options Ldapmodify Sasl options 12 ldapmodify SSL options13 Sasl options Ldapdelete Additional ldapmodify options14 Additional ldapmodify options Ldapdelete SSL options Ldapdelete syntaxCommonly-used ldapdelete options 15 Commonly-used ldapdelete options Ldapdelete Sasl options 16 ldapdelete SSL options17 Sasl options Ldappasswd syntax LdappasswdAdditional ldapdelete options 18 Additional ldapdelete options 19 ldappasswd-specific options Ldappasswd-specific optionsGeneral ldappasswd options 20 General ldappasswd options Ldappasswd Sasl options 20 General ldappasswd options Ldappasswd examples 21 Sasl optionsSix values Ldif Example 6-2 Directory Manager generating a users passwordExample 6-3 User changing his own password Ldif Ldif syntax Ldif command has the following formatDbscan Ldif options 23 Common options Dbscan optionsDbscan examples 24 Entry file options Example 6-14 Dumping the index file uid.db4 with raw mode Example 6-8 Displaying VLV index file contentsExample 6-13 Displaying the changelog file contents Example 6-7 Dumping the entry file Saveconfig Finding and executing command-line scriptsCommand-line scripts quick reference Shell scripts in /opt/dirsrv/slapd-instancename Scripts in /opt/dirsrv/bin Shell scriptsPerl scripts in /opt/dirsrv/slapd-instancename This section covers the following scripts Syntax 1 bak2db Restores a database from backupCl-dump Dumps and decodes the changelog Bak2db options Options Dbverify Checks for corrupt databasesCl-dump options Dbverify options 4 db2bak Creates a backup of a database 5 db2ldif Exports database contents to Ldif Reindex cn and givenname in the database instance userRoot 6 db2index Reindexes database index filesLdif2db Import Db2index options Ldif2db options Pwdhash Prints encrypted passwordsLdif2ldap Performs import operation over Ldap 10 ldif2ldap options 11 pwdhash options Monitor Retrieves monitoring informationRepl-monitor Monitors replication status Syntax monitor Hostportbinddnbindpwdbindcert Restoreconfig Restores Administration Server configuration Saveconfig Saves Administration Server configurationRestart-slapd Restarts the Directory Server Suffix2instance Maps a suffix to a backend name Start-slapd Starts the Directory ServerStop-slapd Stops the Directory Server Vlvindex Creates virtual list view indexes Perl scripts 1 bak2db.pl Restores a database from backupRestores a database from a backup Options Either the -nor the -soption must be specified Creates a backup of the database 3 db2bak.pl Creates a backup of a database19 cl-dump.pl command options Cl-dump.pl Dumps and decodes the changelog 5 db2ldif.pl Exports database contents to Ldif 4 db2index.pl Creates and generates indexes Fixup-memberof.pl Regenerate memberOf attributes 22 db2ldif.pl options Ldif2db.pl Import 23 fixup-memberof.pl options24 ldif2db.pl options 25 Information extracted from access logs Logconv.pl Log converter24 ldif2db.pl options 26 logconv.pl options Ns-accountstatus.pl Establishes account status 27 logconv.pl options to display occurrences28 ns-accountstatus.pl options Activates an entry or group of entries Ns-activate.pl Activates an entry or group of entriesNs-inactivate.pl Inactivates an entry or group of entries 29 ns-activate.pl options Shows in-progress status of replication Repl-monitor.pl Monitors replication status31 ns-newpwdpolicy.pl options 32 repl-monitor.pl options Where Schemadirectory script uses the default schema directory Schema-reload.pl Reload schema files dynamically33 schema-reload.pl options Verify-db.pl Check for corrupt databases Command, then it uses the default database directory 34 verify-db.pl optionUsage information Information to collect before contacting HP How to contact HP technical supportContacting HP HP authorized resellers Related information HP-UX Directory Server documentation setSupport and other resources HP-UX documentation set Troubleshooting resourcesTypographic conventions This document uses the following typographical conventions TIP Overview of ns-slapd Finding and executing the ns-slapd command-line utilitiesExports the contents of the database to Ldif Utilities for exporting databases db2ldif Imports Ldif files to the database Utilities for restoring and backing up databases ldif2dbTable A-1 db2ldif options Table A-2 ldif2db options Utilities for restoring and backing up databases archive2db Utilities for restoring and backing up databases db2archiveUtilities for creating and regenerating indexes db2index Table A-5 db2index options Glossary 247 Bind rule Glossary CoS definition 249 GSS-API Ldap 251 NIS Proxy 253 Sasl Superuser 255 256 Symbols Statistics for monitoring and optimizing directory257 Suffix and replication configuration entries Read-only monitoring configuration entries 259 Index Database link plug-in configuration attributes 261 Distributed numeric assignment plug-in configuration Ldap 263 NsDS5ReplicaChangesSentSinceStartup attribute 265 Page 267 Index 269 Index 271